Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide

Procedure: To Configure Attribute Encryption

You can use DSCC to perform this task. For information, see Directory Service Control Center Interface and the DSCC online help.

  1. If the suffix on which you want to configure attribute encryption contains any entries whatsoever, you must first export the contents of that suffix to an LDIF file.

    If the suffix contains encrypted attributes and you plan to re-initialize the suffix using the exported LDIF file, you can leave the attributes encrypted in the exported LDIF. If you export the attribute values decrypted instead, the LDIF file holds in cleartext exactly the data you are about to protect: restrict access to the file and delete it securely once the suffix has been re-initialized.

  2. To enable encryption for an attribute, use this command:

    $ dsconf create-encrypted-attr -h host -p port suffix-DN attr-name cipher-name

    where cipher-name is one of the following:

    • des - DES block cipher

    • des3 - Triple-DES block cipher

    • rc2 - RC2 block cipher

    • rc4 - RC4 stream cipher

    Of these, only des3 (Triple-DES) offers strength that is still considered adequate; DES has a 56-bit key, and RC2 and RC4 have known weaknesses. Prefer des3 for new deployments. Attribute encryption protects values at rest in the database files and the exported LDIF; it does not change what a client with read access to the attribute sees over LDAP.

    For example:

    $ dsconf create-encrypted-attr -h host1 -p 1389 dc=example,dc=com uid rc4
  3. To stop encrypting an attribute, that is, to remove its encryption configuration, use this command:

    $ dsconf delete-encrypted-attr -h host -p port suffix-DN attr-name

    As when enabling encryption, this changes only the configuration. The stored values are converted when the suffix is re-initialized from LDIF (step 5).

  4. If you have changed the configuration to encrypt one or more attributes, and these attributes already held values in the database, clear the database cache and remove the database transaction log before you re-initialize the suffix.

    The cache files and the transaction log still contain those values in cleartext from before encryption was enabled. Deleting the files ensures that no unencrypted values remain readable in the database cache or the database log.

    Note –

    If you delete these files, you will lose some tracking information. In addition, after you delete these files, the server will be in recovery mode, and might take a long time to restart.

    To clear the database cache and remove the log:

    1. Stop Directory Server as described in Starting, Stopping, and Restarting a Directory Server Instance.

    2. As root or a user with administrator privileges, delete the database cache files from your file system.

      # rm instance-path/db/__db.*
    3. Delete the database log file from your file system.

      # rm instance-path/db/log.0000000001
    4. Restart Directory Server.

      The server will automatically create new database cache files. Performance of operations in this suffix might be slightly impacted until the cache is filled again.

  5. Initialize the suffix with an LDIF file as described in Initializing a Suffix.

    As the file is loaded and the corresponding indexes are created, all values of the specified attributes will be encrypted.
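The following shell script is an added example for step 4 of the procedure above; it is not part of the Sun guide. It wraps the two rm commands in the checks a practitioner wants before deleting anything under instance-path/db: it refuses to remove the files unless the LDIF export from step 1 exists and is non-empty, supports a dry run, and lets you confirm that a known cleartext value (for example a uid from the suffix) is actually gone from the Berkeley DB cache and log files afterwards. The instance path, the LDIF path, the "yes" dry-run flag and the example paths in the usage comment are assumptions of this example, not values from the guide; the script assumes the server has already been stopped as in step 4.1.

```shell
#!/bin/sh
# Added example for step 4 (clear the database cache and remove the log).
# Not part of the Sun guide. Assumptions (mine, not the guide's): instance-path
# and the LDIF exported in step 1 are passed as arguments, and Directory Server
# has already been stopped (step 4.1) before clear_db_cache is run.

# Print the files the guide says to remove: the Berkeley DB shared-region files
# (__db.*) and the transaction log. The guide names log.0000000001; log.* also
# catches any further log files. Nothing else under instance-path/db is listed.
list_db_residue() {
    inst="$1"
    for f in "$inst"/db/__db.* "$inst"/db/log.*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Exit 0 if a known cleartext value (e.g. a uid you expect in the suffix) is
# still readable in any of those files, 1 otherwise. grep -a treats the binary
# files as text; -F matches the value literally.
residue_contains() {
    inst="$1"; value="$2"
    for f in "$inst"/db/__db.* "$inst"/db/log.*; do
        [ -e "$f" ] && grep -aqF -- "$value" "$f" && return 0
    done
    return 1
}

# Delete the residue. Refuses unless the LDIF export from step 1 exists and is
# non-empty, because the suffix cannot be re-initialized without it. With a
# third argument of "yes" it only prints what it would remove.
clear_db_cache() {
    inst="$1"; ldif="$2"; dry="${3:-no}"
    if [ ! -s "$ldif" ]; then
        echo "refusing: no non-empty LDIF export at $ldif" >&2
        return 1
    fi
    for f in "$inst"/db/__db.* "$inst"/db/log.*; do
        [ -e "$f" ] || continue
        if [ "$dry" = yes ]; then
            echo "would remove $f"
        else
            rm -f -- "$f"
        fi
    done
    return 0
}

# Typical use after stopping the server (paths are placeholders):
#   residue_contains /local/ds1 jdoe && echo "cleartext uid still on disk"
#   clear_db_cache /local/ds1 /tmp/example.ldif yes   # dry run
#   clear_db_cache /local/ds1 /tmp/example.ldif       # really delete
#   residue_contains /local/ds1 jdoe || echo "no cleartext residue left"
```

Run the residue check once more after step 5 has completed and the server is running: if the value you searched for reappears in the transaction log in cleartext, the attribute was not actually configured for encryption on that suffix.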